
Lazarus Group

aka: Operation DarkSeoul, Dark Seoul, Hidden Cobra, Hastati Group, Andariel, Unit 121, Bureau 121, NewRomanic Cyber Army Team, Bluenoroff, Subgroup: Bluenoroff, Group 77, Labyrinth Chollima, Operation Troy, Operation GhostSecret, Operation AppleJeus, APT38, APT 38, Stardust Chollima, Whois Hacking Team, Zinc, Appleworm, Nickel Academy, APT-C-26, NICKEL GLADSTONE

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.


Associated Families
aix.fastcash, apk.badcall, apk.hardrain, js.quickcafe, osx.casso, osx.unidentified_001, osx.watchcat, ps1.powerbrace, ps1.powerspritz, win.blindtoad, win.buffetline, win.cleantoad, win.dacls, win.dratzarus, win.power_ratankba, win.op_blockbuster, win.hardrain, win.alphanc, win.applejeus, win.wormhole, win.cheesetray, win.artfulpie, osx.yort, win.wannacryptor, win.unidentified_077, win.volgmer, win.brambul, win.contopee, win.ratankba, win.phandoor, win.hotcroissant, win.keymarble, win.dyepack, win.romeos, win.bootwreck, win.bravonc, win.hoplight, win.darkcomet, osx.applejeus, win.bitsran, win.neddnloader, win.pslogger, win.blindingcan, win.nestegg, win.unidentified_063, win.joanap, win.sierras, win.redshawl, win.bistromath, win.hermes, win.hotwax, win.ratankbapos, win.electricfish, win.bankshot, osx.dacls, win.badcall, win.alreay, win.rifdoor, win.deltas, win.duuzer, win.killdisk, win.nachocheese, win.slickshoes, win.unidentified_042, win.ghost_rat, win.dtrack, win.crat

References
2020-11-16 | ESET Research | Anton Cherepanov, Peter Kálnai
@online{cherepanov:20201116:lazarus:6b90a77, author = {Anton Cherepanov and Peter Kálnai}, title = {{Lazarus supply‑chain attack in South Korea}}, date = {2020-11-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/}, language = {English}, urldate = {2020-11-18} } Lazarus supply‑chain attack in South Korea
Lazarus Group
2020-11-12 | Talos | Asheer Malhotra
@online{malhotra:20201112:crat:1761f4e, author = {Asheer Malhotra}, title = {{CRAT wants to plunder your endpoints}}, date = {2020-11-12}, organization = {Talos}, url = {https://blog.talosintelligence.com/2020/11/crat-and-plugins.html}, language = {English}, urldate = {2020-11-18} } CRAT wants to plunder your endpoints
CRAT
2020-11-03 | Kaspersky Labs | GReAT
@online{great:20201103:trends:febc159, author = {GReAT}, title = {{APT trends report Q3 2020}}, date = {2020-11-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q3-2020/99204/}, language = {English}, urldate = {2020-11-04} } APT trends report Q3 2020
WellMail EVILNUM Janicab Poet RAT AsyncRAT Ave Maria Cobalt Strike Crimson RAT CROSSWALK Dtrack LODEINFO MoriAgent Okrum PlugX poisonplug Rover ShadowPad SoreFang Winnti
2020-10-27 | Dr.Web | Dr.Web
@techreport{drweb:20201027:study:9f6e628, author = {Dr.Web}, title = {{Study of the ShadowPad APT backdoor and its relation to PlugX}}, date = {2020-10-27}, institution = {Dr.Web}, url = {https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf}, language = {English}, urldate = {2020-10-29} } Study of the ShadowPad APT backdoor and its relation to PlugX
Ghost RAT PlugX ShadowPad
2020-09-29 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20200929:blindingcan:a85ca22, author = {Shusei Tomonaga}, title = {{BLINDINGCAN - Malware Used by Lazarus}}, date = {2020-09-29}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html}, language = {English}, urldate = {2020-10-02} } BLINDINGCAN - Malware Used by Lazarus
BLINDINGCAN Lazarus Group
2020-09-15 | CrowdStrike | CrowdStrike Overwatch Team
@techreport{team:20200915:nowhere:284220e, author = {CrowdStrike Overwatch Team}, title = {{Nowhere to Hide - 2020 Threat Hunting Report}}, date = {2020-09-15}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf}, language = {English}, urldate = {2020-09-21} } Nowhere to Hide - 2020 Threat Hunting Report
NedDnLoader RDAT TRACER KITTEN
2020-08-31 | SentinelOne | Jim Walter
@online{walter:20200831:blindingcan:cdb0ffc, author = {Jim Walter}, title = {{The BLINDINGCAN RAT and Malicious North Korean Activity}}, date = {2020-08-31}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/}, language = {English}, urldate = {2020-09-01} } The BLINDINGCAN RAT and Malicious North Korean Activity
BLINDINGCAN
2020-08-31 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20200831:malware:18b1228, author = {Shusei Tomonaga}, title = {{Malware Used by Lazarus after Network Intrusion}}, date = {2020-08-31}, organization = {JPCERT/CC}, url = {https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html}, language = {English}, urldate = {2020-09-04} } Malware Used by Lazarus after Network Intrusion
Lazarus Group
2020-08-26 | CISA | CISA
@online{cisa:20200826:mar103017061v1:735a8fc, author = {CISA}, title = {{MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a}, language = {English}, urldate = {2020-09-01} } MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON
PSLogger
2020-08-26 | CISA | CISA
@online{cisa:20200826:mar103017062v1:e64b3ac, author = {CISA}, title = {{MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT}}, date = {2020-08-26}, organization = {CISA}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b}, language = {English}, urldate = {2020-09-01} } MAR-10301706-2.v1 - North Korean Remote Access Tool: VIVACIOUSGIFT
NACHOCHEESE
2020-08-19 | US-CERT | US-CERT
@online{uscert:20200819:malware:63a2025, author = {US-CERT}, title = {{Malware Analysis Report (AR20-232A)}}, date = {2020-08-19}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a}, language = {English}, urldate = {2020-09-01} } Malware Analysis Report (AR20-232A)
Bankshot BLINDINGCAN
2020-08-13 | ClearSky | ClearSky Research Team
@techreport{team:20200813:operation:429bf86, author = {ClearSky Research Team}, title = {{Operation ‘Dream Job’ Widespread North Korean Espionage Campaign}}, date = {2020-08-13}, institution = {ClearSky}, url = {https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf}, language = {English}, urldate = {2020-08-14} } Operation ‘Dream Job’ Widespread North Korean Espionage Campaign
DRATzarus
2020-08-05 | BlackHat | Kevin Perlow
@techreport{perlow:20200805:fastcashand:301d8ce, author = {Kevin Perlow}, title = {{FASTCash and INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf}, language = {English}, urldate = {2020-08-14} } FASTCash and INJX_PURE: How Threat Actors Use Public Standards for Financial Fraud
FastCash
2020-08-05 | BlackHat | Kevin Perlow
@techreport{perlow:20200805:fastcash:5e6b73a, author = {Kevin Perlow}, title = {{FASTCash and Associated Intrusion Techniques}}, date = {2020-08-05}, institution = {BlackHat}, url = {https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf}, language = {English}, urldate = {2020-08-14} } FASTCash and Associated Intrusion Techniques
FastCash
2020-08 | Temple University | CARE
@online{care:202008:critical:415c34d, author = {CARE}, title = {{Critical Infrastructure Ransomware Attacks}}, date = {2020-08}, organization = {Temple University}, url = {https://sites.temple.edu/care/ci-rw-attacks/}, language = {English}, urldate = {2020-09-15} } Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-08 | TG Soft | TG Soft
@online{soft:202008:tg:88b671c, author = {TG Soft}, title = {{TG Soft Cyber - Threat Report}}, date = {2020-08}, organization = {TG Soft}, url = {https://www.tgsoft.it/files/report/download.asp?id=7481257469}, language = {Italian}, urldate = {2020-09-15} } TG Soft Cyber - Threat Report
DarkComet Darktrack RAT Emotet ISFB
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-07-29 | ESET Research | welivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-07-28 | Kaspersky Labs | Ivan Kwiatkowski, Pierre Delcher, Félix Aime
@online{kwiatkowski:20200728:lazarus:5b1523a, author = {Ivan Kwiatkowski and Pierre Delcher and Félix Aime}, title = {{Lazarus on the hunt for big game}}, date = {2020-07-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/}, language = {English}, urldate = {2020-07-30} } Lazarus on the hunt for big game
Dacls Dacls Dacls VHD Ransomware
2020-07-28 | NTT | NTT Security
@online{security:20200728:craftypanda:7643b28, author = {NTT Security}, title = {{CraftyPanda 標的型攻撃解析レポート}}, date = {2020-07-28}, organization = {NTT}, url = {https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report}, language = {Japanese}, urldate = {2020-07-30} } CraftyPanda Targeted Attack Analysis Report (original title: CraftyPanda 標的型攻撃解析レポート)
Ghost RAT PlugX
2020-07-27 | SentinelOne | Phil Stokes
@online{stokes:20200727:four:9d80c60, author = {Phil Stokes}, title = {{Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform}}, date = {2020-07-27}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/}, language = {English}, urldate = {2020-07-30} } Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform
AppleJeus Casso Dacls WatchCat
2020-07-22 | Kaspersky Labs | GReAT
@online{great:20200722:mata:591e184, author = {GReAT}, title = {{MATA: Multi-platform targeted malware framework}}, date = {2020-07-22}, organization = {Kaspersky Labs}, url = {https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/}, language = {English}, urldate = {2020-07-23} } MATA: Multi-platform targeted malware framework
Dacls Dacls Dacls
2020-07-20 | Risky.biz | Daniel Gordon
@online{gordon:20200720:what:b88e81f, author = {Daniel Gordon}, title = {{What even is Winnti?}}, date = {2020-07-20}, organization = {Risky.biz}, url = {https://risky.biz/whatiswinnti/}, language = {English}, urldate = {2020-08-18} } What even is Winnti?
CCleaner Backdoor Ghost RAT PlugX ZXShell
2020-06-28 | Twitter (@ccxsaber) | z3r0
@online{z3r0:20200628:sample:8355378, author = {z3r0}, title = {{Tweet on Sample}}, date = {2020-06-28}, organization = {Twitter (@ccxsaber)}, url = {https://twitter.com/ccxsaber/status/1277064824434745345}, language = {English}, urldate = {2020-07-15} } Tweet on Sample
Unidentified 077 (Lazarus Downloader)
2020-06-23 | ReversingLabs | Karlo Zanki
@online{zanki:20200623:hidden:807b898, author = {Karlo Zanki}, title = {{Hidden Cobra - from a shed skin to the viper’s nest}}, date = {2020-06-23}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/hidden-cobra}, language = {English}, urldate = {2020-06-23} } Hidden Cobra - from a shed skin to the viper’s nest
Bankshot PEBBLEDASH TAINTEDSCRIBE
2020-06-14 | BushidoToken | BushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-06-09 | Kaspersky Labs | Costin Raiu
@online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} } Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2020-06-05 | Prevailion | Danny Adamitis
@online{adamitis:20200605:gh0st:849c227, author = {Danny Adamitis}, title = {{The Gh0st Remains the Same}}, date = {2020-06-05}, organization = {Prevailion}, url = {https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html}, language = {English}, urldate = {2020-06-08} } The Gh0st Remains the Same
Ghost RAT
2020-06-04 | PTSecurity | PT ESC Threat Intelligence
@online{intelligence:20200604:covid19:45fa7ba, author = {PT ESC Threat Intelligence}, title = {{COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group}}, date = {2020-06-04}, organization = {PTSecurity}, url = {https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/}, language = {English}, urldate = {2020-06-05} } COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group
Ghost RAT
2020-05-12 | US-CERT | US-CERT
@online{uscert:20200512:mar102888341v1:e6e6a28, author = {US-CERT}, title = {{MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE}}, date = {2020-05-12}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-133a}, language = {English}, urldate = {2020-05-14} } MAR-10288834-1.v1 – North Korean Remote Access Tool: COPPERHEDGE
Bankshot
2020-05-11 | Trend Micro | Gabrielle Joyce Mabutas, Kazuki Fujisawa
@online{mabutas:20200511:new:aa2bbd7, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability}, language = {English}, urldate = {2020-06-03} } New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability
Dacls
2020-05-11 | Trend Micro | Gabrielle Joyce Mabutas, Kazuki Fujisawa
@online{mabutas:20200511:new:e25ce4e, author = {Gabrielle Joyce Mabutas and Kazuki Fujisawa}, title = {{New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability}}, date = {2020-05-11}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/}, language = {English}, urldate = {2020-05-11} } New MacOS Dacls RAT Backdoor Show Lazarus’ Multi-Platform Attack Capability
Dacls
2020-05-07 | AVAR | Mark Lechtik, Ariel Jugnheit
@online{lechtik:20200507:north:3cfaf43, author = {Mark Lechtik and Ariel Jugnheit}, title = {{The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market}}, date = {2020-05-07}, organization = {AVAR}, url = {https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view}, language = {English}, urldate = {2020-05-07} } The North Korean AV Anthology: a unique look on DPRK’s Anti-Virus market
Volgmer
2020-05-06 | Malwarebytes | Hossein Jazi, Thomas Reed, Jérôme Segura
@online{jazi:20200506:new:7723083, author = {Hossein Jazi and Thomas Reed and Jérôme Segura}, title = {{New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app}}, date = {2020-05-06}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/}, language = {English}, urldate = {2020-05-07} } New Mac variant of Lazarus Dacls RAT distributed via Trojanized 2FA app
Dacls
2020-05-05 | Objective-See | Patrick Wardle
@online{wardle:20200505:dacls:b9f2391, author = {Patrick Wardle}, title = {{The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant}}, date = {2020-05-05}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x57.html}, language = {English}, urldate = {2020-05-07} } The Dacls RAT ...now on macOS! deconstructing the mac variant of a lazarus group implant
Dacls
2020-04-16 | VMWare Carbon Black | Scott Knight
@online{knight:20200416:evolution:39b90c0, author = {Scott Knight}, title = {{The Evolution of Lazarus}}, date = {2020-04-16}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/}, language = {English}, urldate = {2020-04-17} } The Evolution of Lazarus
HOTCROISSANT Rifdoor
2020-03-05 | Microsoft | Microsoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-03 | PWC UK | PWC UK
@techreport{uk:20200303:cyber:1f1eef0, author = {PWC UK}, title = {{Cyber Threats 2019: A Year in Retrospect}}, date = {2020-03-03}, institution = {PWC UK}, url = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf}, language = {English}, urldate = {2020-03-03} } Cyber Threats 2019: A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare Axiom
2020-02-26 | MetaSwan's Lab | MetaSwan
@online{metaswan:20200226:lazarus:0bf422f, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 2}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-2}, language = {English}, urldate = {2020-02-26} } Lazarus group's Brambul worm of the former Wannacry - 2
Brambul
2020-02-26 | MetaSwan's Lab | MetaSwan
@online{metaswan:20200226:lazarus:1cacde4, author = {MetaSwan}, title = {{Lazarus group's Brambul worm of the former Wannacry - 1}}, date = {2020-02-26}, organization = {MetaSwan's Lab}, url = {https://metaswan.github.io/posts/Malware-Lazarus-group's-Brambul-worm-of-the-former-Wannacry-1}, language = {English}, urldate = {2020-02-26} } Lazarus group's Brambul worm of the former Wannacry - 1
Brambul WannaCryptor
2020-02-25 | SentinelOne | Jim Walter
@online{walter:20200225:dprk:735f095, author = {Jim Walter}, title = {{DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity}}, date = {2020-02-25}, organization = {SentinelOne}, url = {https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/}, language = {English}, urldate = {2020-02-27} } DPRK Hidden Cobra Update: North Korean Malicious Cyber Activity
ARTFULPIE BISTROMATH BUFFETLINE CHEESETRAY HOPLIGHT HOTCROISSANT SLICKSHOES
2020-02-25 | RSA Conference | Joel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-02-22 | Objective-See | Patrick Wardle
@online{wardle:20200222:weaponizing:ea810ff, author = {Patrick Wardle}, title = {{Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads}}, date = {2020-02-22}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x54.html}, language = {English}, urldate = {2020-02-27} } Weaponizing a Lazarus Group Implant: repurposing a 1st-stage loader, to execute custom 'fileless' payloads
AppleJeus
2020-02-19 | Lexfo | Lexfo
@techreport{lexfo:20200219:lazarus:f293c37, author = {Lexfo}, title = {{The Lazarus Constellation A study on North Korean malware}}, date = {2020-02-19}, institution = {Lexfo}, url = {https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf}, language = {English}, urldate = {2020-03-11} } The Lazarus Constellation A study on North Korean malware
FastCash AppleJeus BADCALL Bankshot Brambul Dtrack Duuzer DYEPACK ELECTRICFISH HARDRAIN Hermes HOPLIGHT Joanap KEYMARBLE Kimsuky MimiKatz MyDoom NACHOCHEESE NavRAT PowerRatankba RokRAT Sierra(Alfa,Bravo, ...) Volgmer WannaCryptor
2020-02-14 | US-CERT | US-CERT
@online{uscert:20200214:malware:8992509, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045D): MAR-10271944-1.v1 - North Korean Trojan: HOTCROISSANT}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045d}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045D): MAR-10271944-1.v1 - North Korean Trojan: HOTCROISSANT
HOTCROISSANT
2020-02-14 | US-CERT | US-CERT
@online{uscert:20200214:malware:e48897a, author = {US-CERT}, title = {{Malware Analysis Report (AR20–045B): MAR-10265965-2.v1 - North Korean Trojan: SLICKSHOES}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045b}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20–045B): MAR-10265965-2.v1 - North Korean Trojan: SLICKSHOES
SLICKSHOES
2020-02-14 | US-CERT | US-CERT
@online{uscert:20200214:malware:43ff8f0, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045E): MAR-10271944-2.v1 - North Korean Trojan: ARTFULPIE}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045e}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045E): MAR-10271944-2.v1 - North Korean Trojan: ARTFULPIE
ARTFULPIE
2020-02-14 | US-CERT | US-CERT
@online{uscert:20200214:malware:fd008a7, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045G): MAR-10135536-8.v4 - North Korean Trojan: HOPLIGHT}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045g}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045G): MAR-10135536-8.v4 - North Korean Trojan: HOPLIGHT
HOPLIGHT
2020-02-14 | US-CERT | US-CERT
@online{uscert:20200214:malware:cdab5b7, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045a}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045A): MAR-10265965-1.v1 - North Korean Trojan: BISTROMATH
BISTROMATH
2020-02-14 | US-CERT | US-CERT
@online{uscert:20200214:malware:315814d, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045C)}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045c}, language = {English}, urldate = {2020-02-14} } Malware Analysis Report (AR20-045C)
CHEESETRAY
2020-02-14 | US-CERT | US-CERT
@online{uscert:20200214:malware:de7cafb, author = {US-CERT}, title = {{Malware Analysis Report (AR20-045F): MAR-10271944-3.v1 - North Korean Trojan: BUFFETLINE}}, date = {2020-02-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar20-045f}, language = {English}, urldate = {2020-02-27} } Malware Analysis Report (AR20-045F): MAR-10271944-3.v1 - North Korean Trojan: BUFFETLINE
BUFFETLINE
2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020-02-10 | Malwarebytes | Adam Kujawa, Wendy Zamora, Jérôme Segura, Thomas Reed, Nathan Collier, Jovi Umawing, Chris Boyd, Pieter Arntz, David Ruiz
@techreport{kujawa:20200210:2020:3fdaf12, author = {Adam Kujawa and Wendy Zamora and Jérôme Segura and Thomas Reed and Nathan Collier and Jovi Umawing and Chris Boyd and Pieter Arntz and David Ruiz}, title = {{2020 State of Malware Report}}, date = {2020-02-10}, institution = {Malwarebytes}, url = {https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf}, language = {English}, urldate = {2020-02-13} } 2020 State of Malware Report
magecart Emotet QakBot REvil Ryuk TrickBot WannaCryptor
2020-02-02 | Youtube (Ghidra Ninja) | Ghidra Ninja
@online{ninja:20200202:reversing:872f4fb, author = {Ghidra Ninja}, title = {{Reversing WannaCry Part 2 - Diving into the malware with #Ghidra}}, date = {2020-02-02}, organization = {Youtube (Ghidra Ninja)}, url = {https://www.youtube.com/watch?v=Q90uZS3taG0}, language = {English}, urldate = {2020-02-09} } Reversing WannaCry Part 2 - Diving into the malware with #Ghidra
WannaCryptor
2020-01-26 | (no institution given) | Brown Farinholt, Mohammad Rezaeirad, Damon McCoy, Kirill Levchenko
@techreport{farinholt:20200126:dark:9c2f434, author = {Brown Farinholt and Mohammad Rezaeirad and Damon McCoy and Kirill Levchenko}, title = {{Dark Matter: Uncovering the DarkComet RAT Ecosystem}}, date = {2020-01-26}, institution = {}, url = {https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf}, language = {English}, urldate = {2020-03-07} } Dark Matter: Uncovering the DarkComet RAT Ecosystem
DarkComet
2020-01-08 | Kaspersky Labs | GReAT
@online{great:20200108:operation:ea445d5, author = {GReAT}, title = {{Operation AppleJeus Sequel}}, date = {2020-01-08}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus-sequel/95596/}, language = {English}, urldate = {2020-01-13} } Operation AppleJeus Sequel
AppleJeus Unidentified macOS 001 (UnionCryptoTrader)
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:dcdc02a, author = {SecureWorks}, title = {{BRONZE FLEETWOOD}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-fleetwood}, language = {English}, urldate = {2020-05-23} } BRONZE FLEETWOOD
Binanen Ghost RAT OrcaRAT APT5
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:41a0bc0, author = {SecureWorks}, title = {{BRONZE EDISON}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-edison}, language = {English}, urldate = {2020-05-23} } BRONZE EDISON
Ghost RAT sykipot Maverick Panda Samurai Panda
2020 | Secureworks | SecureWorks
@online{secureworks:2020:copper:e356116, author = {SecureWorks}, title = {{COPPER FIELDSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/copper-fieldstone}, language = {English}, urldate = {2020-05-23} } COPPER FIELDSTONE
Crimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major
2020 | Secureworks | SecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2020-01-01 | Objective-See | Patrick Wardle
@online{wardle:20200101:mac:1d3cffc, author = {Patrick Wardle}, title = {{The Mac Malware of 2019}}, date = {2020-01-01}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x53.html}, language = {English}, urldate = {2020-07-20} } The Mac Malware of 2019
Gmera Mokes Yort
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:dc58892, author = {SecureWorks}, title = {{BRONZE GLOBE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-globe}, language = {English}, urldate = {2020-05-23} } BRONZE GLOBE
EtumBot Ghost RAT IXESHE
2020 | Secureworks | SecureWorks
@online{secureworks:2020:aluminum:af22ffd, author = {SecureWorks}, title = {{ALUMINUM SARATOGA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/aluminum-saratoga}, language = {English}, urldate = {2020-05-23} } ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:4db27ec, author = {SecureWorks}, title = {{BRONZE UNION}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-union}, language = {English}, urldate = {2020-05-23} } BRONZE UNION
9002 RAT CHINACHOPPER Enfal Ghost RAT HttpBrowser HyperBro owaauth PlugX Poison Ivy ZXShell LuckyMouse
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:b8eb4a4, author = {SecureWorks}, title = {{NICKEL ACADEMY}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-academy}, language = {English}, urldate = {2020-05-23} } NICKEL ACADEMY
Brambul Duuzer HOPLIGHT Joanap Sierra(Alfa,Bravo, ...) Volgmer
2020 | Secureworks | SecureWorks
@online{secureworks:2020:nickel:bd4482a, author = {SecureWorks}, title = {{NICKEL GLADSTONE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/nickel-gladstone}, language = {English}, urldate = {2020-05-23} } NICKEL GLADSTONE
AlphaNC Bankshot Ratankba Lazarus Group
2019-12-17 | Netlab | Jinye, GenShen Ye
@online{jinye:20191217:lazarus:f97fffd, author = {Jinye and GenShen Ye}, title = {{Lazarus Group uses Dacls RAT to attack Linux platform}}, date = {2019-12-17}, organization = {Netlab}, url = {https://blog.netlab.360.com/dacls-the-dual-platform-rat/}, language = {Chinese}, urldate = {2020-01-07} } Lazarus Group uses Dacls RAT to attack Linux platform
Dacls Log Collector Dacls
2019-12-12 | Microsoft | Microsoft Threat Intelligence Center
@online{center:20191212:gallium:79f6460, author = {Microsoft Threat Intelligence Center}, title = {{GALLIUM: Targeting global telecom}}, date = {2019-12-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/}, language = {English}, urldate = {2020-01-07} } GALLIUM: Targeting global telecom
Ghost RAT HTran GALLIUM
2019-12-12 | FireEye | Chi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019-12-03 | Objective-See | Objective-See
@online{objectivesee:20191203:lazarus:028af2b, author = {Objective-See}, title = {{Lazarus Group Goes 'Fileless'}}, date = {2019-12-03}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x51.html}, language = {English}, urldate = {2020-01-13} } Lazarus Group Goes 'Fileless'
Unidentified macOS 001 (UnionCryptoTrader)
2019-11-21 | Cyberbit | Hod Gavriel
@online{gavriel:20191121:dtrack:fe6fbbc, author = {Hod Gavriel}, title = {{Dtrack: In-depth analysis of APT on a nuclear power plant}}, date = {2019-11-21}, organization = {Cyberbit}, url = {https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/}, language = {English}, urldate = {2020-08-21} } Dtrack: In-depth analysis of APT on a nuclear power plant
Dtrack
2019-11-04 | Marco Ramilli's Blog | Marco Ramilli
@online{ramilli:20191104:is:79a8669, author = {Marco Ramilli}, title = {{Is Lazarus/APT38 Targeting Critical Infrastructures?}}, date = {2019-11-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/}, language = {English}, urldate = {2020-01-07} } Is Lazarus/APT38 Targeting Critical Infrastructures?
Dtrack
2019-11-04 | Tencent | Tencent Security Mikan TIC
@online{tic:20191104:attack:33a29db, author = {Tencent Security Mikan TIC}, title = {{APT attack group "Higaisa" attack activity disclosed}}, date = {2019-11-04}, organization = {Tencent}, url = {https://s.tencent.com/research/report/836.html}, language = {Chinese}, urldate = {2020-05-13} } APT attack group "Higaisa" attack activity disclosed
Ghost RAT Higaisa
2019-11-03 | Github (jeFF0Falltrades) | Jeff Archer
@online{archer:20191103:dtrack:de46ce3, author = {Jeff Archer}, title = {{DTrack}}, date = {2019-11-03}, organization = {Github (jeFF0Falltrades)}, url = {https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md}, language = {English}, urldate = {2019-12-18} } DTrack
Dtrack
2019-10-31 | CISA | CISA
@online{cisa:20191031:malware:4eccc2d, author = {CISA}, title = {{Malware Analysis Report (AR19-304A)}}, date = {2019-10-31}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-304a}, language = {English}, urldate = {2020-01-09} } Malware Analysis Report (AR19-304A)
HOPLIGHT
2019-10-17 | | Vitali Kremez
@online{kremez:20191017:lets:d41b75a, author = {Vitali Kremez}, title = {{Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator}}, date = {2019-10-17}, url = {https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html}, language = {English}, urldate = {2020-01-08} } Let's Learn: Dissecting Lazarus Windows x86 Loader Involved in Crypto Trading App Distribution: "snowman" & ADVObfuscator
AppleJeus
2019-10-12 | Objective-See | Patrick Wardle
@online{wardle:20191012:pass:9a75bd6, author = {Patrick Wardle}, title = {{Pass the AppleJeus}}, date = {2019-10-12}, organization = {Objective-See}, url = {https://objective-see.com/blog/blog_0x49.html}, language = {English}, urldate = {2020-01-13} } Pass the AppleJeus
AppleJeus
2019-10-11 | Twitter (@VK_intel) | Vitali Kremez
@online{kremez:20191011:possible:3be065d, author = {Vitali Kremez}, title = {{Possible Lazarus x86 Malware (AppleJeus)}}, date = {2019-10-11}, organization = {Twitter (@VK_intel)}, url = {https://twitter.com/VK_Intel/status/1182730637016481793}, language = {English}, urldate = {2019-11-23} } Possible Lazarus x86 Malware (AppleJeus)
AppleJeus
2019-09-23 | Kaspersky Labs | Konstantin Zykov
@online{zykov:20190923:hello:a1e9360, author = {Konstantin Zykov}, title = {{Hello! My name is Dtrack}}, date = {2019-09-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/my-name-is-dtrack/93338/}, language = {English}, urldate = {2020-01-13} } Hello! My name is Dtrack
Dtrack
2019-09-17 | Talos | Christopher Evans, David Liebenberg
@online{evans:20190917:cryptocurrency:8f3a9e9, author = {Christopher Evans and David Liebenberg}, title = {{Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”}}, date = {2019-09-17}, organization = {Talos}, url = {https://blog.talosintelligence.com/2019/09/panda-evolution.html}, language = {English}, urldate = {2019-10-31} } Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”
Ghost RAT
2019-09-09 | CISA | CISA
@online{cisa:20190909:malware:f266520, author = {CISA}, title = {{Malware Analysis Report (AR19-252A)}}, date = {2019-09-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/ar19-252a}, language = {English}, urldate = {2020-01-07} } Malware Analysis Report (AR19-252A)
BADCALL BADCALL
2019-08-11 | Twitter (@KevinPerlow) | Kevin Perlow
@online{perlow:20190811:updated:b23bfc9, author = {Kevin Perlow}, title = {{Updated #Lazarus Keylogger (uploaded June)}}, date = {2019-08-11}, organization = {Twitter (@KevinPerlow)}, url = {https://twitter.com/KevinPerlow/status/1160766519615381504}, language = {English}, urldate = {2019-11-26} } Updated #Lazarus Keylogger (uploaded June)
Unidentified 063 (Lazarus Keylogger)
2019-08-01 | Kaspersky Labs | GReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy Microcin
2019-07-28 | Dissecting Malware | Marius Genheimer
@online{genheimer:20190728:third:ede6ba2, author = {Marius Genheimer}, title = {{Third time's the charm? Analysing WannaCry samples}}, date = {2019-07-28}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html}, language = {English}, urldate = {2020-03-27} } Third time's the charm? Analysing WannaCry samples
WannaCryptor
2019-07-11 | NTT Security | NTT Security
@online{security:20190711:targeted:a48e692, author = {NTT Security}, title = {{Targeted TrickBot activity drops 'PowerBrace' backdoor}}, date = {2019-07-11}, organization = {NTT Security}, url = {https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor}, language = {English}, urldate = {2019-12-18} } Targeted TrickBot activity drops 'PowerBrace' backdoor
PowerBrace TrickBot
2019-05-30 | Talos Intelligence | Vanja Svajcer
@online{svajcer:20190530:10:82553e1, author = {Vanja Svajcer}, title = {{10 years of virtual dynamite: A high-level retrospective of ATM malware}}, date = {2019-05-30}, organization = {Talos Intelligence}, url = {https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html}, language = {English}, urldate = {2019-11-24} } 10 years of virtual dynamite: A high-level retrospective of ATM malware
FastCash Project Alice Cutlet Ploutus ATM Skimer Tyupkin
2019-05-09 | CISA | CISA
@online{cisa:20190509:malware:0fa3b40, author = {CISA}, title = {{Malware Analysis Report (AR19-129A)}}, date = {2019-05-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-129A}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (AR19-129A)
ELECTRICFISH Lazarus Group
2019-04-24 | SpecterOps | Richie Cyrus
@online{cyrus:20190424:introducing:f1d4536, author = {Richie Cyrus}, title = {{Introducing Venator: A macOS tool for proactive detection}}, date = {2019-04-24}, organization = {SpecterOps}, url = {https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56}, language = {English}, urldate = {2020-01-07} } Introducing Venator: A macOS tool for proactive detection
AppleJeus WindTail
2019-04-11 | Computing.co.uk | Dev Kundaliya
@online{kundaliya:20190411:lazarus:2ad8687, author = {Dev Kundaliya}, title = {{Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea}}, date = {2019-04-11}, organization = {Computing.co.uk}, url = {https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea}, language = {English}, urldate = {2020-01-06} } Lazarus rises: Warning over new HOPLIGHT malware linked with North Korea
HOPLIGHT
2019-04-10 | US-CERT | US-CERT
@online{uscert:20190410:malware:4946afa, author = {US-CERT}, title = {{Malware Analysis Report (AR19-100A): North Korean Trojan: HOPLIGHT}}, date = {2019-04-10}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR19-100A}, language = {English}, urldate = {2020-01-09} } Malware Analysis Report (AR19-100A): North Korean Trojan: HOPLIGHT
HOPLIGHT
2019-04-10 | The Register | Shaun Nichols
@online{nichols:20190410:lazarus:33958ca, author = {Shaun Nichols}, title = {{Lazarus Group rises again from the digital grave with Hoplight malware for all}}, date = {2019-04-10}, organization = {The Register}, url = {https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/}, language = {English}, urldate = {2019-12-24} } Lazarus Group rises again from the digital grave with Hoplight malware for all
Lazarus Group
2019-04-10 | One Night in Norfolk | Norfolk
@online{norfolk:20190410:osint:7dfb7d1, author = {Norfolk}, title = {{OSINT Reporting Regarding DPRK and TA505 Overlap}}, date = {2019-04-10}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/}, language = {English}, urldate = {2020-01-06} } OSINT Reporting Regarding DPRK and TA505 Overlap
PowerBrace
2019-03-27 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20190327:elfin:d90a330, author = {Critical Attack Discovery and Intelligence Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-04-21} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33
2019-03-27 | Symantec | Security Response Attack Investigation Team
@online{team:20190327:elfin:836cc39, author = {Security Response Attack Investigation Team}, title = {{Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.}}, date = {2019-03-27}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage}, language = {English}, urldate = {2020-01-06} } Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33
2019-03-26 | Kaspersky Labs | GReAT
@online{great:20190326:cryptocurrency:c95b701, author = {GReAT}, title = {{Cryptocurrency businesses still being targeted by Lazarus}}, date = {2019-03-26}, organization = {Kaspersky Labs}, url = {https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/}, language = {English}, urldate = {2019-12-20} } Cryptocurrency businesses still being targeted by Lazarus
Yort Lazarus Group
2019-03-20 | Github (649) | @037
@online{037:20190320:apt38:4c7f1d4, author = {@037}, title = {{APT38 DYEPACK FRAMEWORK}}, date = {2019-03-20}, organization = {Github (649)}, url = {https://github.com/649/APT38-DYEPACK}, language = {English}, urldate = {2019-12-17} } APT38 DYEPACK FRAMEWORK
DYEPACK
2019-03-12 | Malwarebytes | William Tsing
@online{tsing:20190312:advanced:e68d915, author = {William Tsing}, title = {{The Advanced Persistent Threat files: Lazarus Group}}, date = {2019-03-12}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/}, language = {English}, urldate = {2019-12-20} } The Advanced Persistent Threat files: Lazarus Group
Lazarus Group
2019-02-27 | Secureworks | CTU Research Team
@online{team:20190227:peek:16c9160, author = {CTU Research Team}, title = {{A Peek into BRONZE UNION’s Toolbox}}, date = {2019-02-27}, organization = {Secureworks}, url = {https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox}, language = {English}, urldate = {2020-01-07} } A Peek into BRONZE UNION’s Toolbox
Ghost RAT HyperBro ZXShell
2019-02-19 | Check Point Research | Check Point
@online{point:20190219:north:2d1cfbe, author = {Check Point}, title = {{North Korea Turns Against New Targets?!}}, date = {2019-02-19}, organization = {Check Point Research}, url = {https://research.checkpoint.com/north-korea-turns-against-russian-targets/}, language = {English}, urldate = {2019-10-21} } North Korea Turns Against New Targets?!
KEYMARBLE
2019-01-23 | NSHC RedAlert Labs | ThreatRecon Team
@online{team:20190123:sectora01:963118e, author = {ThreatRecon Team}, title = {{SectorA01 Custom Proxy Utility Tool Analysis}}, date = {2019-01-23}, organization = {NSHC RedAlert Labs}, url = {https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/}, language = {English}, urldate = {2019-10-18} } SectorA01 Custom Proxy Utility Tool Analysis
FastCash
2019-01-22 | One Night in Norfolk | Norfolk
@online{norfolk:20190122:lazarus:74b5983, author = {Norfolk}, title = {{A Lazarus Keylogger- PSLogger}}, date = {2019-01-22}, organization = {One Night in Norfolk}, url = {https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/}, language = {English}, urldate = {2020-01-10} } A Lazarus Keylogger- PSLogger
PSLogger
2019-01-16 | ZDNet | Catalin Cimpanu
@online{cimpanu:20190116:north:8f56bd0, author = {Catalin Cimpanu}, title = {{North Korean hackers infiltrate Chile's ATM network after Skype job interview}}, date = {2019-01-16}, organization = {ZDNet}, url = {https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/}, language = {English}, urldate = {2020-01-10} } North Korean hackers infiltrate Chile's ATM network after Skype job interview
Lazarus Group
2019-01-15 | Flashpoint | Vitali Kremez
@online{kremez:20190115:disclosure:0e74c4e, author = {Vitali Kremez}, title = {{Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties}}, date = {2019-01-15}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/}, language = {English}, urldate = {2019-08-08} } Disclosure of Chilean Redbanc Intrusion Leads to Lazarus Ties
PowerRatankba
2019-01-07 | Intezer | Ignacio Sanmillan
@online{sanmillan:20190107:chinaz:50bb5f4, author = {Ignacio Sanmillan}, title = {{ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups}}, date = {2019-01-07}, organization = {Intezer}, url = {https://www.intezer.com/blog-chinaz-relations/}, language = {English}, urldate = {2019-11-27} } ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups
Ghost RAT
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:operation:207fc18, author = {Cyber Operations Tracker}, title = {{Operation GhostSecret}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret}, language = {English}, urldate = {2019-12-20} } Operation GhostSecret
Lazarus Group
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:lazarus:a298c2f, author = {MITRE ATT&CK}, title = {{Group description: Lazarus Group}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0032/}, language = {English}, urldate = {2019-12-20} } Group description: Lazarus Group
Lazarus Group
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:compromise:31bbbf4, author = {Cyber Operations Tracker}, title = {{Compromise of cryptocurrency exchanges in South Korea}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea}, language = {English}, urldate = {2019-12-20} } Compromise of cryptocurrency exchanges in South Korea
Lazarus Group
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:lazarus:f46916d, author = {Cyber Operations Tracker}, title = {{Lazarus Group}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/lazarus-group}, language = {English}, urldate = {2019-12-20} } Lazarus Group
Lazarus Group
2019 | CISA | CISA
@online{cisa:2019:hidden:52ee565, author = {CISA}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2019}, organization = {CISA}, url = {https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity}, language = {English}, urldate = {2020-01-07} } HIDDEN COBRA - North Korean Malicious Cyber Activity
Lazarus Group
2018-12-31 | Github Repository | Frank Boldewin
@online{boldewin:20181231:fastcashmalwaredissected:d72e332, author = {Frank Boldewin}, title = {{FastCashMalwareDissected}}, date = {2018-12-31}, organization = {Github Repository}, url = {https://github.com/fboldewin/FastCashMalwareDissected/}, language = {English}, urldate = {2019-07-10} } FastCashMalwareDissected
FastCash
2018-12-12 | McAfee | Ryan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20181212:operation:df0b2d2, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure}}, date = {2018-12-12}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/}, language = {English}, urldate = {2020-01-13} } ‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure
Rising Sun Lazarus Group Operation Sharpshooter
2018-11-20 | Trend Micro | Lenart Bermejo, Joelson Soares
@online{bermejo:20181120:lazarus:1d8d3b3, author = {Lenart Bermejo and Joelson Soares}, title = {{Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America}}, date = {2018-11-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America
BLINDTOAD
2018-11-08 | Symantec | Security Response Attack Investigation Team
@online{team:20181108:fastcash:ee26edb, author = {Security Response Attack Investigation Team}, title = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}}, date = {2018-11-08}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware}, language = {English}, urldate = {2019-11-28} } FASTCash: How the Lazarus Group is Emptying Millions from ATMs
Lazarus Group
2018-11-08 | Symantec | Critical Attack Discovery and Intelligence Team
@online{team:20181108:fastcash:acf8e38, author = {Critical Attack Discovery and Intelligence Team}, title = {{FASTCash: How the Lazarus Group is Emptying Millions from ATMs}}, date = {2018-11-08}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware}, language = {English}, urldate = {2020-04-21} } FASTCash: How the Lazarus Group is Emptying Millions from ATMs
FastCash Lazarus Group
2018-10-08 | Youtube Video | Saher Naumaan
@online{naumaan:20181008:bsides:26586e2, author = {Saher Naumaan}, title = {{BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks}}, date = {2018-10-08}, organization = {Youtube Video}, url = {https://youtu.be/_kzFNQySEMw?t=789}, language = {English}, urldate = {2019-10-15} } BSides Belfast 2018: Lazarus On The Rise: Insights From SWIFT Bank Attacks
NESTEGG
2018-10-03 | Virus Bulletin | Peter Kálnai, Michal Poslušný
@techreport{klnai:20181003:lazarus:bebf0ad, author = {Peter Kálnai and Michal Poslušný}, title = {{LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES}}, date = {2018-10-03}, institution = {Virus Bulletin}, url = {https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf}, language = {English}, urldate = {2020-01-06} } LAZARUS GROUP: A MAHJONG GAME PLAYED WITH DIFFERENT SETS OF TILES
HOTWAX
2018-10-02 | US-CERT | US-CERT
@online{uscert:20181002:alert:c29ba37, author = {US-CERT}, title = {{Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign}}, date = {2018-10-02}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-275A}, language = {English}, urldate = {2020-01-13} } Alert (TA18-275A) HIDDEN COBRA: FASTCash Campaign
FastCash
2018-10-01 | Youtube (FireEye Inc.) | Christopher DiGiamo, Nalani Fraser, Jacqueline O’Leary
@online{digiamo:20181001:cds:a580f8f, author = {Christopher DiGiamo and Nalani Fraser and Jacqueline O’Leary}, title = {{CDS 2018 | Unmasking APT X}}, date = {2018-10-01}, organization = {Youtube (FireEye Inc.)}, url = {https://youtu.be/8hJyLkLHH8Q?t=1208}, language = {English}, urldate = {2020-01-06} } CDS 2018 | Unmasking APT X
NESTEGG
2018-09-19 | Möbius Strip Reverse Engineering | Rolf Rolles
@online{rolles:20180919:hexrays:1afcc0c, author = {Rolf Rolles}, title = {{Hex-Rays Microcode API vs. Obfuscating Compiler}}, date = {2018-09-19}, organization = {Möbius Strip Reverse Engineering}, url = {http://www.hexblog.com/?p=1248}, language = {English}, urldate = {2019-10-28} } Hex-Rays Microcode API vs. Obfuscating Compiler
Ghost RAT
2018-09-06 | Department of Justice | Office of Public Affairs
@online{affairs:20180906:north:9b30dd0, author = {Office of Public Affairs}, title = {{North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions}}, date = {2018-09-06}, organization = {Department of Justice}, url = {https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and}, language = {English}, urldate = {2020-01-07} } North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions
Lazarus Group
2018-08-27 | DARKReading | Jai Vijayan
@online{vijayan:20180827:north:97ee4d4, author = {Jai Vijayan}, title = {{North Korean Hacking Group Steals $13.5 Million From Indian Bank}}, date = {2018-08-27}, organization = {DARKReading}, url = {https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678}, language = {English}, urldate = {2020-01-13} } North Korean Hacking Group Steals $13.5 Million From Indian Bank
Lazarus Group
2018-08-23 | Bleeping Computer | Catalin Cimpanu
@online{cimpanu:20180823:lazarus:e929232, author = {Catalin Cimpanu}, title = {{Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack}}, date = {2018-08-23}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/}, language = {English}, urldate = {2019-12-20} } Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack
Lazarus Group
2018-08-23 | Kaspersky Labs | GReAT
@online{great:20180823:operation:c1011d3, author = {GReAT}, title = {{Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware}}, date = {2018-08-23}, organization = {Kaspersky Labs}, url = {https://securelist.com/operation-applejeus/87553/}, language = {English}, urldate = {2019-12-20} } Operation AppleJeus: Lazarus hits cryptocurrency exchange with fake installer and macOS malware
AppleJeus Volgmer Lazarus Group
2018-08-09 | CISA | CISA
@online{cisa:20180809:malware:71c0559, author = {CISA}, title = {{Malware Analysis Report (AR18-221A)}}, date = {2018-08-09}, organization = {CISA}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-221A}, language = {English}, urldate = {2020-01-07} } Malware Analysis Report (AR18-221A)
KEYMARBLE
2018-07-30 | Proofpoint | Proofpoint Staff
@online{staff:20180730:new:07c5e76, author = {Proofpoint Staff}, title = {{New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign}}, date = {2018-07-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside}, language = {English}, urldate = {2019-12-20} } New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign
Azorult Hermes Hermes Ransomware
2018-06-23 | AhnLab | AhnLab
@techreport{ahnlab:20180623:full:dced6a4, author = {AhnLab}, title = {{Full Discloser of Andariel, A Subgroup of Lazarus Threat Group}}, date = {2018-06-23}, institution = {AhnLab}, url = {https://global.ahnlab.com/global/upload/download/techreport/[AhnLab]Andariel_a_Subgroup_of_Lazarus%20(3).pdf}, language = {English}, urldate = {2019-12-24} } Full Discloser of Andariel, A Subgroup of Lazarus Threat Group
PhanDoor Rifdoor
2018-06-13 | Threatpost | Tara Seals
@online{seals:20180613:banco:4861a7b, author = {Tara Seals}, title = {{Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist}}, date = {2018-06-13}, organization = {Threatpost}, url = {https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/}, language = {English}, urldate = {2020-01-13} } Banco de Chile Wiper Attack Just a Cover for $10M SWIFT Heist
Lazarus Group
2018-06-13 | Acalvio | Team Acalvio
@online{acalvio:20180613:lateral:ab17115, author = {Team Acalvio}, title = {{Lateral Movement Technique Employed by Hidden Cobra}}, date = {2018-06-13}, organization = {Acalvio}, url = {https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/}, language = {English}, urldate = {2020-01-13} } Lateral Movement Technique Employed by Hidden Cobra
Brambul Joanap
2018-06-08 | United States District Court (California) | Nathan P. Shields, Rozella A. Oliver
@online{shields:20180608:complaint:8b4b2dc, author = {Nathan P. Shields and Rozella A. Oliver}, title = {{Complaint against Jin Hyok Park}}, date = {2018-06-08}, organization = {United States District Court (California)}, url = {https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html}, language = {English}, urldate = {2020-01-08} } Complaint against Jin Hyok Park
NESTEGG
2018-06-07 | Trend Micro | Fernando Mercês
@online{mercs:20180607:new:760f179, author = {Fernando Mercês}, title = {{New KillDisk Variant Hits Latin American Financial Organizations Again}}, date = {2018-06-07}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/}, language = {English}, urldate = {2020-01-09} } New KillDisk Variant Hits Latin American Financial Organizations Again
BOOTWRECK
2018-05-29 | US-CERT | US-CERT
@online{uscert:20180529:alert:9ab63c1, author = {US-CERT}, title = {{Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA18-149A}, language = {English}, urldate = {2020-01-10} } Alert (TA18-149A): HIDDEN COBRA – Joanap Backdoor Trojan and Brambul Server Message Block Worm
Brambul Joanap
2018-05-29 | US-CERT | US-CERT
@online{uscert:20180529:mar101355363:6ee74d8, author = {US-CERT}, title = {{MAR-10135536-3 - HIDDEN COBRA RAT/Worm}}, date = {2018-05-29}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/analysis-reports/AR18-149A}, language = {English}, urldate = {2019-10-13} } MAR-10135536-3 - HIDDEN COBRA RAT/Worm
Brambul Joanap
2018-05-29 | Bloomberg | Michelle Davis
@online{davis:20180529:mexico:d40bc2d, author = {Michelle Davis}, title = {{Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret}}, date = {2018-05-29}, organization = {Bloomberg}, url = {https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret}, language = {English}, urldate = {2020-01-07} } Mexico Foiled a $110 Million Bank Heist, Then Kept It a Secret
Lazarus Group
2018-05-03 | McAfee | Ryan Sherstobitoff, Itai Liba, James Walter
@techreport{sherstobitoff:20180503:dissecting:13102f0, author = {Ryan Sherstobitoff and Itai Liba and James Walter}, title = {{Dissecting Operation Troy: Cyberespionage in South Korea}}, date = {2018-05-03}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf}, language = {English}, urldate = {2020-01-10} } Dissecting Operation Troy: Cyberespionage in South Korea
concealment_troy http_troy Lazarus Group
2018-04-27 | Bleeping Computer | Catalin Cimpanu
@online{cimpanu:20180427:north:b7ed973, author = {Catalin Cimpanu}, title = {{North Korean Hackers Are up to No Good Again}}, date = {2018-04-27}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/}, language = {English}, urldate = {2019-12-20} } North Korean Hackers Are up to No Good Again
Lazarus Group
2018-04-24 | McAfee | Ryan Sherstobitoff, Asheer Malhotra
@online{sherstobitoff:20180424:analyzing:9aac21f, author = {Ryan Sherstobitoff and Asheer Malhotra}, title = {{Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide}}, date = {2018-04-24}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/}, language = {English}, urldate = {2020-01-10} } Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide
Lazarus Group
2018-04-17 | NCC Group | Nikolaos Pantazopoulos
@online{pantazopoulos:20180417:decoding:7d5f713, author = {Nikolaos Pantazopoulos}, title = {{Decoding network data from a Gh0st RAT variant}}, date = {2018-04-17}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/}, language = {English}, urldate = {2019-11-27} } Decoding network data from a Gh0st RAT variant
Ghost RAT LuckyMouse
2018-04-03 | ESET Research | Peter Kálnai, Anton Cherepanov
@online{klnai:20180403:lazarus:14ff18c, author = {Peter Kálnai and Anton Cherepanov}, title = {{Lazarus KillDisks Central American casino}}, date = {2018-04-03}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/}, language = {English}, urldate = {2019-11-14} } Lazarus KillDisks Central American casino
KillDisk Lazarus Group
2018-03-28 | Intezer | Jay Rosenberg
@online{rosenberg:20180328:lazarus:307e39e, author = {Jay Rosenberg}, title = {{Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies}}, date = {2018-03-28}, organization = {Intezer}, url = {http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/}, language = {English}, urldate = {2019-11-27} } Lazarus Group Targets More Cryptocurrency Exchanges and FinTech Companies
Unidentified 042
2018-03-08 | McAfee | Ryan Sherstobitoff, Asheer Malhotra, Charles Crawford, Jessica Saavedra-Morales
@online{sherstobitoff:20180308:hidden:c1459ef, author = {Ryan Sherstobitoff and Asheer Malhotra and Charles Crawford and Jessica Saavedra-Morales}, title = {{Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant}}, date = {2018-03-08}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/}, language = {English}, urldate = {2019-10-14} } Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant
Lazarus Group
2018-03 | Kaspersky Labs | Kaspersky Lab
@techreport{lab:201803:lazarus:3fd5ac4, author = {Kaspersky Lab}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf}, language = {English}, urldate = {2020-01-07} } Lazarus under the Hood
HOTWAX REDSHAWL WORMHOLE
2018-03 | Kaspersky Labs | Kaspersky Lab Global Research and Analysis Team
@techreport{research:201803:lazarus:9dd4571, author = {Kaspersky Lab Global Research and Analysis Team}, title = {{Lazarus under the Hood}}, date = {2018-03}, institution = {Kaspersky Labs}, url = {https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf}, language = {English}, urldate = {2019-11-28} } Lazarus under the Hood
NESTEGG
2018-02-05 | US-CERT | Unknown Unknown
@techreport{unknown:20180205:hidden:3e1e07e, author = {Unknown Unknown}, title = {{HIDDEN COBRA - North Korean Malicious Cyber Activity}}, date = {2018-02-05}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf}, language = {English}, urldate = {2019-12-20} } HIDDEN COBRA - North Korean Malicious Cyber Activity
HARDRAIN
2018-02-01 | Bitdefender | Bitdefender Team
@online{team:20180201:operation:e76f179, author = {Bitdefender Team}, title = {{Operation PZCHAO: Inside a highly specialized espionage infrastructure}}, date = {2018-02-01}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/}, language = {English}, urldate = {2020-05-18} } Operation PZCHAO: Inside a highly specialized espionage infrastructure
Ghost RAT Emissary Panda
2018-01-29 | Proofpoint | Darien Huss
@techreport{huss:20180129:north:438b45d, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2018-01-29}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf}, language = {English}, urldate = {2020-01-05} } North Korea Bitten by Bitcoin Bug
Bitsran
2018-01-24 | Trend Micro | CH Lei, Fyodor Yarochkin, Lenart Bermejo, Philippe Z Lin, Razor Huang
@online{lei:20180124:lazarus:63d2701, author = {CH Lei and Fyodor Yarochkin and Lenart Bermejo and Philippe Z Lin and Razor Huang}, title = {{Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More}}, date = {2018-01-24}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/}, language = {English}, urldate = {2020-01-08} } Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More
PowerRatankba
2018-01-24 | Trend Micro | Trendmicro
@online{trendmicro:20180124:look:fa400c7, author = {Trendmicro}, title = {{A Look into the Lazarus Group’s Operations}}, date = {2018-01-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations}, language = {English}, urldate = {2019-12-04} } A Look into the Lazarus Group’s Operations
Lazarus Group
2018-01-15 | Trend Micro | Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira
@online{sison:20180115:new:15ece8f, author = {Gilbert Sison and Rheniel Ramos and Jay Yaneza and Alfredo Oliveira}, title = {{New KillDisk Variant Hits Financial Organizations in Latin America}}, date = {2018-01-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/}, language = {English}, urldate = {2020-01-06} } New KillDisk Variant Hits Financial Organizations in Latin America
KillDisk Lazarus Group
2018-01-04 | Malware Traffic Analysis | Brad Duncan
@online{duncan:20180104:malspam:ce2dfac, author = {Brad Duncan}, title = {{MALSPAM PUSHING PCRAT/GH0ST}}, date = {2018-01-04}, organization = {Malware Traffic Analysis}, url = {http://www.malware-traffic-analysis.net/2018/01/04/index.html}, language = {English}, urldate = {2019-12-24} } MALSPAM PUSHING PCRAT/GH0ST
Ghost RAT
2018 | FireEye | FireEye
@online{fireeye:2018:apt38:20161b7, author = {FireEye}, title = {{APT38}}, date = {2018}, organization = {FireEye}, url = {https://content.fireeye.com/apt/rpt-apt38}, language = {English}, urldate = {2020-01-13} } APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group
2018 | FireEye | FireEye
@techreport{fireeye:2018:apt38:c81b87d, author = {FireEye}, title = {{APT38}}, date = {2018}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf}, language = {English}, urldate = {2020-01-07} } APT38
CHEESETRAY CLEANTOAD NACHOCHEESE
2018-01-01 | McAfee | Ryan Sherstobitoff, Itai Liba, James Walter
@techreport{sherstobitoff:20180101:dissecting:73712a7, author = {Ryan Sherstobitoff and Itai Liba and James Walter}, title = {{Dissecting Operation Troy: Cyberespionage in South Korea}}, date = {2018-01-01}, institution = {McAfee}, url = {http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf}, language = {English}, urldate = {2019-10-15} } Dissecting Operation Troy: Cyberespionage in South Korea
Lazarus Group
2017-12-20 | RiskIQ | Yonathan Klijnsma
@online{klijnsma:20171220:mining:4b3dc11, author = {Yonathan Klijnsma}, title = {{Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry}}, date = {2017-12-20}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/}, language = {English}, urldate = {2020-01-13} } Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry
PowerRatankba
2017-12-19 | Proofpoint | Darien Huss
@online{huss:20171219:north:e5ef6da, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group}}, date = {2017-12-19}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new}, language = {English}, urldate = {2019-12-20} } North Korea Bitten by Bitcoin Bug: Financially motivated campaigns reveal new dimension of the Lazarus Group
Ghost RAT
2017-12-19 | Proofpoint | Darien Huss
@techreport{huss:20171219:north:b2da03e, author = {Darien Huss}, title = {{North Korea Bitten by Bitcoin Bug}}, date = {2017-12-19}, institution = {Proofpoint}, url = {https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf}, language = {English}, urldate = {2019-10-18} } North Korea Bitten by Bitcoin Bug
QUICKCAFE PowerSpritz Ghost RAT PowerRatankba
2017-12-13 | US-CERT | US-CERT
@techreport{uscert:20171213:malware:89db625, author = {US-CERT}, title = {{Malware Analysis Report (MAR) - 10135536-B}}, date = {2017-12-13}, institution = {US-CERT}, url = {https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF}, language = {English}, urldate = {2020-01-08} } Malware Analysis Report (MAR) - 10135536-B
Bankshot
2017-11-20 | Palo Alto Networks Unit 42 | Anthony Kasza, Juan Cortes, Micah Yates
@online{kasza:20171120:operation:0bc8efe, author = {Anthony Kasza and Juan Cortes and Micah Yates}, title = {{Operation Blockbuster Goes Mobile}}, date = {2017-11-20}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/}, language = {English}, urldate = {2019-12-24} } Operation Blockbuster Goes Mobile
HARDRAIN
2017-11-20 | McAfee | Inhee Han
@online{han:20171120:android:c3f825c, author = {Inhee Han}, title = {{Android Malware Appears Linked to Lazarus Cybercrime Group}}, date = {2017-11-20}, organization = {McAfee}, url = {https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990}, language = {English}, urldate = {2019-12-17} } Android Malware Appears Linked to Lazarus Cybercrime Group
HARDRAIN
2017-11-14 | Department of Homeland Security | Department of Homeland Security
@online{security:20171114:hidden:a45c30a, author = {Department of Homeland Security}, title = {{HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL}}, date = {2017-11-14}, organization = {Department of Homeland Security}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318A}, language = {English}, urldate = {2019-11-28} } HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL
Lazarus Group
2017-11-14 | US-CERT | US-CERT
@online{uscert:20171114:alert:4bf4ff5, author = {US-CERT}, title = {{Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer}}, date = {2017-11-14}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-318B}, language = {English}, urldate = {2020-01-08} } Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer
Volgmer Lazarus Group
2017-10-27 | Independent.co.uk | Adam Withnall
@online{withnall:20171027:british:18c1e9a, author = {Adam Withnall}, title = {{British security minister says North Korea was behind WannaCry hack on NHS}}, date = {2017-10-27}, organization = {Independent.co.uk}, url = {http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html}, language = {English}, urldate = {2020-01-07} } British security minister says North Korea was behind WannaCry hack on NHS
WannaCryptor
2017-10-16 | Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, James Wong
@online{shevchenko:20171016:taiwan:081b125, author = {Sergei Shevchenko and Hirman Muhammad bin Abu Bakar and James Wong}, title = {{Taiwan Heist: Lazarus Tools and Ransomware}}, date = {2017-10-16}, url = {http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html}, language = {English}, urldate = {2020-01-07} } Taiwan Heist: Lazarus Tools and Ransomware
Bitsran Hermes
2017-10-16 | BAE Systems | Sergei Shevchenko, Hirman Muhammad bin Abu Bakar, James Wong
@online{shevchenko:20171016:taiwan:cb91378, author = {Sergei Shevchenko and Hirman Muhammad bin Abu Bakar and James Wong}, title = {{Taiwan Heist: Lazarus Tools and Ransomware}}, date = {2017-10-16}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html}, language = {English}, urldate = {2020-01-06} } Taiwan Heist: Lazarus Tools and Ransomware
BLINDTOAD Lazarus Group
2017-08-14 | Palo Alto Networks Unit 42 | Anthony Kasza
@online{kasza:20170814:blockbuster:79266d5, author = {Anthony Kasza}, title = {{The Blockbuster Saga Continues}}, date = {2017-08-14}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/}, language = {English}, urldate = {2019-12-20} } The Blockbuster Saga Continues
HOPLIGHT
2017-06-13 | US-CERT | US-CERT
@online{uscert:20170613:hidden:4f15d2c, author = {US-CERT}, title = {{HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure}}, date = {2017-06-13}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA17-164A}, language = {English}, urldate = {2020-01-06} } HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
Lazarus Group
2017-05-25 | Flashpoint | Flashpoint
@online{flashpoint:20170525:linguistic:70ffc44, author = {Flashpoint}, title = {{Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors}}, date = {2017-05-25}, organization = {Flashpoint}, url = {https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/}, language = {English}, urldate = {2019-12-10} } Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors
WannaCryptor
2017-05-25 | Symantec | Security Response
@online{response:20170525:lazarus:4d00eab, author = {Security Response}, title = {{Lazarus: History of mysterious group behind infamous cyber attacks}}, date = {2017-05-25}, organization = {Symantec}, url = {https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c}, language = {English}, urldate = {2020-01-08} } Lazarus: History of mysterious group behind infamous cyber attacks
Lazarus Group
2017-05-22 | Symantec | Symantec Security Response
@online{response:20170522:wannacry:f66a95e, author = {Symantec Security Response}, title = {{WannaCry: Ransomware attacks show strong links to Lazarus group}}, date = {2017-05-22}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group}, language = {English}, urldate = {2020-01-06} } WannaCry: Ransomware attacks show strong links to Lazarus group
AlphaNC BravoNC Duuzer Sierra(Alfa,Bravo, ...) WannaCryptor
2017-05-19 | Comae | Matt Suiche
@online{suiche:20170519:wannacry:81703ac, author = {Matt Suiche}, title = {{WannaCry — Decrypting files with WanaKiwi + Demos}}, date = {2017-05-19}, organization = {Comae}, url = {https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d}, language = {English}, urldate = {2019-10-25} } WannaCry — Decrypting files with WanaKiwi + Demos
WannaCryptor
2017-05-19 | Malwarebytes | Adam McNeil
@online{mcneil:20170519:how:fac33a7, author = {Adam McNeil}, title = {{How did the WannaCry ransomworm spread?}}, date = {2017-05-19}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/}, language = {English}, urldate = {2019-12-20} } How did the WannaCry ransomworm spread?
WannaCryptor
2017-05-16 | Sergei Shevchenko, Adrian Nish
@online{shevchenko:20170516:wannacryptor:8bc9235, author = {Sergei Shevchenko and Adrian Nish}, title = {{Wannacryptor Ransomworm}}, date = {2017-05-16}, url = {https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html}, language = {English}, urldate = {2020-01-07} } Wannacryptor Ransomworm
WannaCryptor
2017-05-14 | Comae | Matt Suiche
@online{suiche:20170514:wannacry:b2c62ca, author = {Matt Suiche}, title = {{WannaCry — New Variants Detected!}}, date = {2017-05-14}, organization = {Comae}, url = {https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e}, language = {English}, urldate = {2020-01-08} } WannaCry — New Variants Detected!
WannaCryptor
2017-05-13 | MalwareTech | MalwareTech
@online{malwaretech:20170513:how:1036ae2, author = {MalwareTech}, title = {{How to Accidentally Stop a Global Cyber Attacks}}, date = {2017-05-13}, organization = {MalwareTech}, url = {https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html}, language = {English}, urldate = {2019-11-25} } How to Accidentally Stop a Global Cyber Attacks
WannaCryptor
2017-05-12 | Kaspersky Labs | GReAT
@online{great:20170512:wannacry:b24b188, author = {GReAT}, title = {{WannaCry ransomware used in widespread attacks all over the world}}, date = {2017-05-12}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/}, language = {English}, urldate = {2019-12-20} } WannaCry ransomware used in widespread attacks all over the world
WannaCryptor
2017-05-12 | Emsisoft | Holger Keller
@online{keller:20170512:global:2ee68f6, author = {Holger Keller}, title = {{Global WannaCry ransomware outbreak uses known NSA exploits}}, date = {2017-05-12}, organization = {Emsisoft}, url = {http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/}, language = {English}, urldate = {2019-12-10} } Global WannaCry ransomware outbreak uses known NSA exploits
WannaCryptor
2017-05-12 | KrebsOnSecurity | Brian Krebs
@online{krebs:20170512:uk:11a7e5a, author = {Brian Krebs}, title = {{U.K. Hospitals Hit in Widespread Ransomware Attack}}, date = {2017-05-12}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/}, language = {English}, urldate = {2020-01-06} } U.K. Hospitals Hit in Widespread Ransomware Attack
WannaCryptor
2017-05-12 | G Data | G Data
@online{data:20170512:warning:162cfc4, author = {G Data}, title = {{Warning: Massive "WannaCry" Ransomware campaign launched}}, date = {2017-05-12}, organization = {G Data}, url = {https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign}, language = {English}, urldate = {2020-01-13} } Warning: Massive "WannaCry" Ransomware campaign launched
WannaCryptor
2017-05-12 | Comae | Matt Suiche
@online{suiche:20170512:wannacry:f79fed5, author = {Matt Suiche}, title = {{WannaCry — The largest ransom-ware infection in History}}, date = {2017-05-12}, organization = {Comae}, url = {https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58}, language = {English}, urldate = {2020-01-06} } WannaCry — The largest ransom-ware infection in History
WannaCryptor
2017-05-12 | Microsoft | Karthik Selvaraj, Elia Florio, Andrea Lelli, Tanmay Ganacharya
@online{selvaraj:20170512:wannacrypt:9604786, author = {Karthik Selvaraj and Elia Florio and Andrea Lelli and Tanmay Ganacharya}, title = {{WannaCrypt ransomware worm targets out-of-date systems}}, date = {2017-05-12}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/}, language = {English}, urldate = {2020-03-06} } WannaCrypt ransomware worm targets out-of-date systems
WannaCryptor
2017-05-12 | The Moscow Times | The Moscow Times
@online{times:20170512:wcry:10ff3fa, author = {The Moscow Times}, title = {{‘WCry’ Virus Reportedly Infects Russian Interior Ministry's Computer Network}}, date = {2017-05-12}, organization = {The Moscow Times}, url = {https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984}, language = {English}, urldate = {2019-12-05} } ‘WCry’ Virus Reportedly Infects Russian Interior Ministry's Computer Network
WannaCryptor
2017-05-12 | Avast | Jakub Křoustek
@online{koustek:20170512:wannacry:ff9bc08, author = {Jakub Křoustek}, title = {{WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today}}, date = {2017-05-12}, organization = {Avast}, url = {https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today}, language = {English}, urldate = {2020-01-07} } WannaCry ransomware that infected Telefonica and NHS hospitals is spreading aggressively, with over 50,000 attacks so far today
WannaCryptor
2017-04-07 | Palo Alto Networks Unit 42 | Anthony Kasza, Micah Yates
@online{kasza:20170407:blockbuster:0e430d3, author = {Anthony Kasza and Micah Yates}, title = {{The Blockbuster Sequel}}, date = {2017-04-07}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/}, language = {English}, urldate = {2019-12-20} } The Blockbuster Sequel
OpBlockBuster
2017-04-04 | Kaspersky Labs | Kaspersky Lab
@online{lab:20170404:chasing:b9789da, author = {Kaspersky Lab}, title = {{Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies}}, date = {2017-04-04}, organization = {Kaspersky Labs}, url = {https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies}, language = {English}, urldate = {2019-12-24} } Chasing Lazarus: A Hunt for the Infamous Hackers to Prevent Large Bank Robberies
Lazarus Group
2017-04-03 | Kaspersky Labs | GReAT
@online{great:20170403:lazarus:033fcf7, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-under-the-hood/77908/}, language = {English}, urldate = {2019-12-20} } Lazarus under the Hood
Lazarus Group
2017-04-03 | Kaspersky Labs | GReAT
@online{great:20170403:lazarus:689432c, author = {GReAT}, title = {{Lazarus under the Hood}}, date = {2017-04-03}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/sas/77908/lazarus-under-the-hood/}, language = {English}, urldate = {2019-12-20} } Lazarus under the Hood
Alreay DYEPACK
2017-04-03 | Threatpost | Michael Mimoso
@online{mimoso:20170403:lazarus:c824fd6, author = {Michael Mimoso}, title = {{Lazarus APT Spinoff Linked to Banking Hacks}}, date = {2017-04-03}, organization = {Threatpost}, url = {https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/}, language = {English}, urldate = {2020-01-10} } Lazarus APT Spinoff Linked to Banking Hacks
Lazarus Group
2017-02-25 | Financial Security Institute | Kyoung-Ju Kwak (郭炅周)
@techreport{:20170225:silent:5a11e12, author = {Kyoung-Ju Kwak (郭炅周)}, title = {{Silent RIFLE: Response Against Advanced Threat}}, date = {2017-02-25}, institution = {Financial Security Institute}, url = {https://hackcon.org/uploads/327/05%20-%20Kwak.pdf}, language = {English}, urldate = {2020-03-04} } Silent RIFLE: Response Against Advanced Threat
Ghost RAT
2017-02-20 | BAE Systems | Sergei Shevchenko
@online{shevchenko:20170220:lazarus:c608fd5, author = {Sergei Shevchenko}, title = {{Lazarus’ False Flag Malware}}, date = {2017-02-20}, organization = {BAE Systems}, url = {https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html}, language = {English}, urldate = {2019-12-20} } Lazarus’ False Flag Malware
NACHOCHEESE
2017-02-16 | ESET Research | Peter Kálnai
@online{klnai:20170216:demystifying:7ae8785, author = {Peter Kálnai}, title = {{Demystifying targeted malware used against Polish banks}}, date = {2017-02-16}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/}, language = {English}, urldate = {2019-11-14} } Demystifying targeted malware used against Polish banks
HOTWAX NACHOCHEESE
2017-02-12 | Symantec | A L Johnson
@online{johnson:20170212:attackers:c338fa3, author = {A L Johnson}, title = {{Attackers target dozens of global banks with new malware}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware}, language = {English}, urldate = {2020-04-21} } Attackers target dozens of global banks with new malware
Joanap Ratankba Sierra(Alfa,Bravo, ...) Lazarus Group
2017-02-12 | Symantec | Symantec Security Response
@online{response:20170212:attackers:2fdd5b5, author = {Symantec Security Response}, title = {{Attackers target dozens of global banks with new}}, date = {2017-02-12}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0}, language = {English}, urldate = {2020-01-08} } Attackers target dozens of global banks with new
Lazarus Group
2017 | Github (rain-1) | rain1, Epivalent
@online{rain1:2017:wannacrywannadecrypt0r:53d1c73, author = {rain1 and Epivalent}, title = {{WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm}}, date = {2017}, organization = {Github (rain-1)}, url = {https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168}, language = {English}, urldate = {2019-11-29} } WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm
WannaCryptor
2016-12-13 | ESET Research | Anton Cherepanov
@online{cherepanov:20161213:rise:d6ee3c1, author = {Anton Cherepanov}, title = {{The rise of TeleBots: Analyzing disruptive KillDisk attacks}}, date = {2016-12-13}, organization = {ESET Research}, url = {http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/}, language = {English}, urldate = {2019-12-20} } The rise of TeleBots: Analyzing disruptive KillDisk attacks
Credraptor KillDisk TeleBot TeleBots
2016-06-03 | FireEye | Yin Hong Chang, Sudeep Singh
@online{chang:20160603:sends:176f9ab, author = {Yin Hong Chang and Sudeep Singh}, title = {{APT Group Sends Spear Phishing Emails to Indian Government Officials}}, date = {2016-06-03}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html}, language = {English}, urldate = {2019-12-20} } APT Group Sends Spear Phishing Emails to Indian Government Officials
BreachRAT DarkComet Operation C-Major
2016-05-26 | Symantec | Security Response
@online{response:20160526:swift:fe259bf, author = {Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-04-21} } SWIFT attackers’ malware linked to more financial attacks
Contopee Sierra(Alfa,Bravo, ...) Lazarus Group
2016-05-26 | Symantec | Symantec Security Response
@online{response:20160526:swift:a8d8898, author = {Symantec Security Response}, title = {{SWIFT attackers’ malware linked to more financial attacks}}, date = {2016-05-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks}, language = {English}, urldate = {2020-01-07} } SWIFT attackers’ malware linked to more financial attacks
Contopee Lazarus Group
2016-05-20 | Reuters | Tom Bergin, Nathan Layne
@online{bergin:20160520:special:46b3cc4, author = {Tom Bergin and Nathan Layne}, title = {{Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network}}, date = {2016-05-20}, organization = {Reuters}, url = {https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD}, language = {English}, urldate = {2019-12-17} } Special Report: Cyber thieves exploit banks' faith in SWIFT transfer network
Lazarus Group
2016-05-16 | Bankinfo Security | Mathew J. Schwartz
@online{schwartz:20160516:vietnamese:0730aab, author = {Mathew J. Schwartz}, title = {{Vietnamese Bank Blocks $1 Million SWIFT Heist}}, date = {2016-05-16}, organization = {Bankinfo Security}, url = {https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105}, language = {English}, urldate = {2020-01-08} } Vietnamese Bank Blocks $1 Million SWIFT Heist
Lazarus Group
2016-05-15 | Trend Micro | Martin Roesler
@online{roesler:20160515:what:36c2071, author = {Martin Roesler}, title = {{What We Can Learn From the Bangladesh Central Bank Cyber Heist}}, date = {2016-05-15}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/}, language = {English}, urldate = {2020-01-13} } What We Can Learn From the Bangladesh Central Bank Cyber Heist
Lazarus Group
2016-04-22 | Cylance | Isaac Palmer
@online{palmer:20160422:ghost:dda6514, author = {Isaac Palmer}, title = {{The Ghost Dragon}}, date = {2016-04-22}, organization = {Cylance}, url = {https://blog.cylance.com/the-ghost-dragon}, language = {English}, urldate = {2020-01-08} } The Ghost Dragon
Ghost RAT
2016-02-24 | Threatpost | Michael Mimoso
@online{mimoso:20160224:operation:811ccca, author = {Michael Mimoso}, title = {{Operation Blockbuster Coalition Ties Destructive Attacks to Lazarus Group}}, date = {2016-02-24}, organization = {Threatpost}, url = {https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/}, language = {English}, urldate = {2020-01-06} } Operation Blockbuster Coalition Ties Destructive Attacks to Lazarus Group
Lazarus Group
2016-02 | Blue Coat Systems Inc | Snorre Fagerland
@online{fagerland:201602:from:78bc745, author = {Snorre Fagerland}, title = {{From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover}}, date = {2016-02}, organization = {Blue Coat Systems Inc}, url = {https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4}, language = {English}, urldate = {2020-08-18} } From Seoul to Sony The History of the Darkseoul Group and the Sony Intrusion Malware Destover
Joanap Sierra(Alfa,Bravo, ...)
2016-02 | Novetta | Novetta
@techreport{novetta:201602:operation:c3cadae, author = {Novetta}, title = {{Operation Blockbuster}}, date = {2016-02}, institution = {Novetta}, url = {https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf}, language = {English}, urldate = {2020-01-13} } Operation Blockbuster
Lazarus Group
2015-10-26 | Symantec | A L Johnson
@online{johnson:20151026:duuzer:e87f194, author = {A L Johnson}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments}, language = {English}, urldate = {2020-04-21} } Duuzer back door Trojan targets South Korea to take over computers
Brambul Duuzer Joanap Lazarus Group
2015-10-26 | Symantec | Symantec Security Response
@online{response:20151026:duuzer:49ffa2d, author = {Symantec Security Response}, title = {{Duuzer back door Trojan targets South Korea to take over computers}}, date = {2015-10-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers}, language = {English}, urldate = {2020-01-09} } Duuzer back door Trojan targets South Korea to take over computers
Lazarus Group
2015-09-10 | FireEye | Genwei Jiang, Josiah Kimble
@techreport{jiang:20150910:hangul:2e0fc13, author = {Genwei Jiang and Josiah Kimble}, title = {{Hangul Word Processor (HWP)Zero-Day: possible ties to North Korean threat actors}}, date = {2015-09-10}, institution = {FireEye}, url = {https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf}, language = {English}, urldate = {2020-01-13} } Hangul Word Processor (HWP)Zero-Day: possible ties to North Korean threat actors
HOPLIGHT
2014-12-19 | US-CERT | US-CERT
@online{uscert:20141219:alert:b74115d, author = {US-CERT}, title = {{Alert (TA14-353A): Targeted Destructive Malware}}, date = {2014-12-19}, organization = {US-CERT}, url = {https://www.us-cert.gov/ncas/alerts/TA14-353A}, language = {English}, urldate = {2020-03-19} } Alert (TA14-353A): Targeted Destructive Malware
Sierra(Alfa,Bravo, ...)
2014-12-08 | Trend Micro | Trend Micro
@online{micro:20141208:hack:6a3ba20, author = {Trend Micro}, title = {{The Hack of Sony Pictures: What We Know and What You Need to Know}}, date = {2014-12-08}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know}, language = {English}, urldate = {2020-01-08} } The Hack of Sony Pictures: What We Know and What You Need to Know
Lazarus Group
2013-06-26 | Symantec | Symantec Security Response
@online{response:20130626:four:cd9ccb5, author = {Symantec Security Response}, title = {{Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War}}, date = {2013-06-26}, organization = {Symantec}, url = {https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war}, language = {English}, urldate = {2020-04-21} } Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War
Lazarus Group
2013-06-26 | Symantec | Security Response
@online{response:20130626:four:abdfea2, author = {Security Response}, title = {{Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War}}, date = {2013-06-26}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war}, language = {English}, urldate = {2020-01-10} } Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War
Lazarus Group
2013-05-29 | Symantec | Lionel Payet
@online{payet:20130529:south:3242988, author = {Lionel Payet}, title = {{South Korean Financial Companies Targeted by Castov}}, date = {2013-05-29}, organization = {Symantec}, url = {https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov}, language = {English}, urldate = {2020-04-21} } South Korean Financial Companies Targeted by Castov
Lazarus Group
2013-05-28 | Symantec | Lionel Payet
@online{payet:20130528:south:97facdb, author = {Lionel Payet}, title = {{South Korean Financial Companies Targeted by Castov}}, date = {2013-05-28}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov}, language = {English}, urldate = {2020-01-06} } South Korean Financial Companies Targeted by Castov
Lazarus Group
2013-03-20 | The New York Times | Choe Sang-Hun
@online{sanghun:20130320:computer:bc0bf29, author = {Choe Sang-Hun}, title = {{Computer Networks in South Korea Are Paralyzed in Cyberattacks}}, date = {2013-03-20}, organization = {The New York Times}, url = {https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html}, language = {English}, urldate = {2020-01-13} } Computer Networks in South Korea Are Paralyzed in Cyberattacks
Lazarus Group
2012-10-05 | Malwarebytes | Adam Kujawa
@online{kujawa:20121005:dark:192d4aa, author = {Adam Kujawa}, title = {{Dark Comet 2: Electric Boogaloo}}, date = {2012-10-05}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/}, language = {English}, urldate = {2019-12-20} } Dark Comet 2: Electric Boogaloo
DarkComet
2012-06-21 | Contagio Dump | Mila Parkour
@online{parkour:20120621:rat:2186087, author = {Mila Parkour}, title = {{RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army}}, date = {2012-06-21}, organization = {Contagio Dump}, url = {http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html}, language = {English}, urldate = {2019-12-20} } RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army
BlackShades DarkComet Terminator RAT
2012-06-09 | Malwarebytes | Adam Kujawa
@online{kujawa:20120609:you:c8d15e0, author = {Adam Kujawa}, title = {{You dirty RAT! Part 1: DarkComet}}, date = {2012-06-09}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/}, language = {English}, urldate = {2019-12-20} } You dirty RAT! Part 1: DarkComet
DarkComet
2012 | Norman ASA | Snorre Fagerland
@techreport{fagerland:2012:many:c938856, author = {Snorre Fagerland}, title = {{The many faces of Gh0st Rat}}, date = {2012}, institution = {Norman ASA}, url = {http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf}, language = {English}, urldate = {2019-12-20} } The many faces of Gh0st Rat
Ghost RAT
2011-06-29 | Symantec | John McDonald
@online{mcdonald:20110629:inside:b955948, author = {John McDonald}, title = {{Inside a Back Door Attack}}, date = {2011-06-29}, organization = {Symantec}, url = {https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack}, language = {English}, urldate = {2020-04-21} } Inside a Back Door Attack
Ghost RAT Dust Storm
2011-03-11 | Symantec | Shunichi Imano
@online{imano:20110311:trojankoredos:414e359, author = {Shunichi Imano}, title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}}, date = {2011-03-11}, organization = {Symantec}, url = {https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise}, language = {English}, urldate = {2020-04-21} } Trojan.Koredos Comes with an Unwelcomed Surprise
Lazarus Group
2011-03-11 | Symantec | Shunichi Imano
@online{imano:20110311:trojankoredos:c3aa3c6, author = {Shunichi Imano}, title = {{Trojan.Koredos Comes with an Unwelcomed Surprise}}, date = {2011-03-11}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise}, language = {English}, urldate = {2020-01-10} } Trojan.Koredos Comes with an Unwelcomed Surprise
Lazarus Group
2009-07-08 | The Guardian | Matthew Weaver
@online{weaver:20090708:cyber:8fd12c3, author = {Matthew Weaver}, title = {{Cyber attackers target South Korea and US}}, date = {2009-07-08}, organization = {The Guardian}, url = {https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack}, language = {English}, urldate = {2019-10-23} } Cyber attackers target South Korea and US
Lazarus Group
2009-03-28 | Information Warfare Monitor | Information Warfare Monitor
@techreport{monitor:20090328:tracking:dffad13, author = {Information Warfare Monitor}, title = {{Tracking GhostNet: Investigating a Cyber Espionage Network}}, date = {2009-03-28}, institution = {Information Warfare Monitor}, url = {http://www.nartv.org/mirror/ghostnet.pdf}, language = {English}, urldate = {2020-04-23} } Tracking GhostNet: Investigating a Cyber Espionage Network
Ghost RAT GhostNet

Credits: MISP Project